The case for pre-emptive defence
Vessel Impersonation Report
Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Tactical Cyber Intelligence Reporting
Vessel Impersonation Report Feb Wk4
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Feb 20, 2020 | ARRIVAL NOTICE MV. TAHO EUROP | Trojan:Win32/Vigorf.A | [email protected] | Target not disclosed |
| Feb 21, 2020 | RE : MV OCEAN PRIDE V083 - PORT AGENT NOMINATION | Trojan:Win32/Wacatac.C!ml | "FAR EAST LINES LIMITED" [email protected]> | Target not disclosed |
| Feb 21, 2020 | M.V. \xe2\x80\x9c Ever Success\xe2\x80\x9d docking repair on mid of Mar | Trojan:Win32/Lokibot.ART!eml | "Stavros Labrinakos" [email protected]> | taxgate.gr |
| Feb 21, 2020 | NOMINATION//MV SHINSUNG BRIGHT V20004 KWG-NSA DISH STEEL PRODUCT 5700MT\r\n (POSCO) | Trojan:Win32/Wacatac.C!ml | [email protected] | e1.co.kr |
| Feb 23, 2020 | Ocean Network Express (Europe) Ltd:BL/OLYAEYSZPBP1110-75370021 | Trojan:Win32/Wacatac.D!ml | “7ZWc7J287ZmY6rK96riw7Iig “[email protected] | naver.com |
| Feb 24, 2020 | BUNKER ESTIMATE - M/V GOLDEN STAR | Trojan:Win32/Tiggre!ctv | [email protected] | Target not disclosed |
| Feb 24, 2020 | Fwd: RE: M/T TORM HARDRADA V.203- PDA REQUIRED FOR LOADING BARSAH\r\n LIGHT CRUDE OIL. | Trojan:Win32/Sonbokli.A!cl | “Grabiel Alexander Ordinola Gonzales” [email protected] | holascharff.com |
| Feb 25, 2020 | OCEAN BREEZE CHARTERING ORDER LIST P.O #345267 | Trojan:Win32/Wacatac.C!ml | "Mamunul Hoque" [email protected] | Target not disclosed |
| Feb 25, 2020 | MV LUCKY SOURCE V.2003 - EPDA OF DISCHARGE STL PRODUCTS AT HK PORT | Trojan:Win32/Wacatac.D!ml | "[email protected]" [email protected] | Target not disclosed |
| Feb 25, 2020 | RE: RE: M/T TORM HARDRADA V.203- PDA REQUIRED FOR LOADING BARSAH | Trojan:Win32/Sonbokli.A!cl | "FPSHIPPING(SINGAPORE)PTE.LTD." [email protected] | holascharff.com |
| Feb 26, 2020 | FW: MV PACIFIC SELINA- Dry-docking Repair Specification | Trojan:Win32/VBObfuse.SO!eml | CHINA SHIPPING BULK CO., LTD [email protected] | Target not disclosed |
| Feb 26, 2020 | Re: Nord Treasure - Calling Port Elizabeth // Items for Quotation// | Trojan:Win32/Sonbokli.A!cl | [email protected]> | telaurus.net |
In the above collection we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we see a large percentage of these malicious emails attempting to deliver Wacatac, both C and D variants showing up. Vessel names seen include “MV. TAHO EUROP”, and “M/T TORM HARDRADA” among others.
An email was observed attempting to impersonate “MV Golden Star” using a subject line of “BUNKER ESTIMATE – M/V GOLDEN STAR”. According to maritimetraffic.com, this name is very common and used by multiple different carriers.
Analysis reveals that the malicious email was sent from a typo squatted domain. The sender domain is “Labcosulich[.]com” which is an apparent typosquat on the legitimate domain owned by an Italian marine/energy services company Lab Cosulich Consultants – “labcosulichconsultants[.]com”
The message contains an attached Excel spreadsheet identified by Microsoft as the Trojan:Win32/Tiggre!ctv malware. The message body consists of a bunkering order for the vessel, and the different costs associated with said order. However, opening the attachment titled “MV-GOLDEN STAR.xlsx” could activate the malware. Trojan:Win32/Tiggre!ctv is Windows malware which commonly infects victims to use their computing resources for crypto mining.
In another example, we see an email attempting to impersonate the vessel “M/T TORM HARDRADA” using the subject line “RE: RE: M/T TORM HARDRADA V.203- PDA REQUIRED FOR LOADING BARSAH”.
The vessel name belongs to a Singaporean crude oil tanker destined for Veracruz, Mexico. Analysis of the email shows it was sent to a Peruvian freight company called Scharff. The email is sent from a Google mail server, but the sender identifies themselves as part of FP Shipping which is a Singaporean freight company..
An attachment titled “MT TORM HARDRADA.xlsx” is identified by Microsoft antivirus engine as Trojan:Win32/Sonbokli.A!cl. This malware uses Powershell to connect to command and control servers to download additional malware on the victim device.
Lastly, a malicious email was sent from an “Ever Grand Logistics Limited”, specifically Hunter Yang. The email was sent and received from the same email; however the reply-to email is a Gmail account – “johnybmt@gmail[.]com”. This email has been used to target multiple other maritime targets as far back as July 2019. The subject line “NOMINATION//MV SHINSUNG BRIGHT V20004 KWG-NSA DISH STEEL PRODUCT 5700MT\r\n (POSCO)” suggests the message contains information about the vessel. However, the email actually contains Trojan:Win32/Wacatac.C!ml malware disguised as “MV SHINSUNG BRIGHT V20004.rar”. The message comes across as very polite, but it is clear from the sentence structure that the email sender is not a native English speaker.
Our Experts Say
Dryad Assessment
Typically, the use of language is a good indicator of a spoofed message. Errors in grammar and punctuation can indicate a non-native English speaker originated a message. This is especially indicative when the attacker is trying to impersonate a sender who is expected to fluently speak and write the language. Overall, the use of language in this message is good, but on close inspection there are punctuation errors, capitalization errors, and slight phrasing issues throughout.
These analyses illustrate how opening any infected email, could cause a recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.
Pre-empt, don’t just defend
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Weekly Maritime Watchlist
Top 5 Malicious Maritime Email Senders
Top 5 Maliciouse Maritime Email Senders
| Sender | Malware Sent |
|---|---|
| [email protected] | Trojan-Dropper.Java.Agent.av, HEUR:Backdoor.Java.QRat.gen, HEUR:Exploit.MSOffice.Generic |
| [email protected] | Trojan-Dropper.Java.Agent.av, |
| HEUR:Backdoor.Java.QRat.gen, Trojan:Win32/Wacatac.C!ml | |
| [email protected] | Trojan:Win32/Wacatac.C!ml, |
| Trojan:Win32/Lokibot.ART!MTB, | |
| Trojan:Win32/Tiggre!ctv | |
| [email protected] | Trojan:Win32/Vigorf.A |
| [email protected] | Trojan:Win32/Occamy.C |
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.
